2) WSFuzzer is good for what it does, but it doesn't cover everything...

3) Most people say they use SoapUI (very nice tool) linked with the Burp Suite (also very nice). Both tools support client certificate authentication. I can see great value in using these two tools after an automated vulnerability scan, but do you start your VA with them?

Also, there have been new little tools here and there, Metasploit modules and other stuff, but not much in terms of automated vulnerability scans for XSS, CSRF, SQLi, XPATH injection and all the other WS-related vulnerabilities...

I haven't had much luck automating this type of thing. I actually just gave up on looking and made some hack-job in Python. The SUDS library (http://pypi.python.org/pypi/suds) was quick and easy to use, but it didn't respond to anomalous conditions well (which is what we're looking for). I'd use this for enumeration and review of valid operations, but go with something custom for the attack portion.

What I ended up doing was creating an XML template for their configuration and changed specific values in it as I iterated over a list. It required a bit of manual effort at the onset, but it definitely saved me time overall.

Hello H1t M0nk3y, from my experience, I used SoapUI to test web services. With the flexibility of input options the web service could use, I have never used an automated tool to test it. I think the result won't be good enough.

The WS stuff I've been coming up on, lately, in pentests, really drives home the need for better tools / more consistent approaches. Not that individual tools and manual testing don't work, but it would be nice to have something that played a little nicer.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

- ability to do automatic character / string detection / encoding in URLs, etc.
- Dictionary - ability to use and / or create a file with current (and formerly found) WSDL method and element info, for reuse

~ hayabusa ~

I've been using SoapUI and proxying it through Burp to leverage all that functionality. There are also fuzzing capabilities from within SoapUI but I've had better luck with Burp.

I've also found that a lot of the commercial tools are lacking for web services. Acunetix, for example, does support WS but not .NET WS?! We have a "feature request" in, but it doesn't sound promising. Netsparker doesn't support it at all...

Thanks for the useful comments. I will look at ZAP closely before creating a new tool from scratch. No sense re-inventing the wheel if I don't need to...

Back to the scope, I agree that supporting the .Net web services is very important, but it's not that easy (too bad Microsoft always has to do their own things, like DataSet in WS). It could be easier to support the basic stuff, but the special .Net cases and exceptions could be tough to deal with.

Yeah, when it comes to Web Services it's hard to find any good tools. I did go through quite a few presentations (Don't drop the soap, etc.) and tools (WS Digger/Fuzzer, Acunetix, etc.) but none of them were very efficient.

Using SoapUI and Burp with e.g. the Intruder module is an easy way to fuzz. Just make sure you have a working WS request first that issues a normal response, so you have a base to start out with.

I wish there was a decent WS-scanner though, like something that actually works better than any tools out there, as I even have to spend a lot of time using SoapUI as well sometimes, when I have to figure out how the requests are formed, when the WSDL response is returning too much information about optional fields that do nothing.